Fix SSH agent and systemd service race conditions

- bw-ssh-keys.service: use ssh-agent.service, add SSH_AUTH_SOCK env
- Stage 08: enable ssh-agent.socket, mask gcr-ssh-agent before services
- Stage 11: remove SSH agent section (moved to stage 08 for ordering)
- Stage 09: remove stale bw-load-ssh autostart config
- .zshrc: export SSH_AUTH_SOCK to match OpenSSH agent socket
- Remove config/autostart/ (no longer needed)
- porridge daemon: no longer exits on missing API key;
  add SIGHUP handler for live config reload

config/shell/zshrc

@@ -22,6 +22,10 @@ fi
 # ---- PATH setup ----
 export PATH=$HOME/bin:$HOME/.local/bin:/usr/local/bin:$PATH
 
+# ---- SSH agent socket ----
+# Match the socket used by ssh-agent.socket (OpenSSH), not GCR/gnome-keyring.
+export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.sock"
+
 # ---- Oh My Zsh ----
 export ZSH="$HOME/.oh-my-zsh"
 ZSH_THEME="powerlevel10k/powerlevel10k"
@@ -73,3 +77,7 @@ if [ -n "${BW_SESSION:-}" ]; then
     "export " + (.name | gsub(" "; "_")) + "=" + (.value | @sh)
   ' 2>/dev/null)" 2>/dev/null
 fi
+
+# Signal porridge daemon to reload config (picks up newly loaded env vars)
+_pidfile="$HOME/.local/state/porridge/daemon.pid"
+[[ -f "$_pidfile" ]] && kill -HUP "$(cat "$_pidfile")" 2>/dev/null || true

config/systemd/bw-ssh-keys.service

@@ -1,11 +1,14 @@
 [Unit]
 Description=Load Bitwarden SSH keys into ssh-agent
-After=graphical-session.target
+# Use ssh-agent.service (OpenSSH) instead of GCR/gnome-keyring SSH agent
-Wants=graphical-session.target
+# to avoid conflicts — keys are loaded into the socket the terminal sees.
+After=ssh-agent.service
+Wants=ssh-agent.service
 
 [Service]
 Type=oneshot
 Environment=PATH=%h/.local/bin:/usr/local/bin:/usr/bin:/bin
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.sock
 ExecStart=%h/.local/bin/bw-load-ssh.sh
 RemainAfterExit=yes
 Restart=on-failure

stages/08-systemd.sh

@@ -3,12 +3,12 @@
 #  Stage 08: User Systemd Services
 #  Deploys and enables Julian's custom user systemd services.
 # ===========================================================================
-#  On the Pop machine, Julian runs several custom services:
+#  Custom user services:
 #    - porridge.service         : Zoom meeting transcriber daemon
 #    - porridge-dictate.service : Push-to-talk transcription
 #    - pi-overview.service      : Session dashboard on port 3000
-#    - bw-ssh-keys.service      : Load Bitwarden SSH keys at boot
 #    - mempi-sync.service       : Sync memory DB to Nextcloud
+#    - bw-ssh-keys.service      : Load Bitwarden SSH keys into ssh-agent
 #    - empty_downloads.service  : Clear Downloads folder at login
 # ===========================================================================
 
@@ -18,6 +18,27 @@ UNIT_DIR="$HOME/.config/systemd/user"
 
 mkdir -p "$UNIT_DIR"
 
+# ===========================================================================
+#  0. SSH Agent setup — ensure OpenSSH ssh-agent is the active agent
+# ===========================================================================
+# Enable ssh-agent.socket and disable/mask the GCR SSH agent so that
+# bw-ssh-keys.service (below) loads keys into the same agent the user's
+# terminal sees. Must run BEFORE enabling bw-ssh-keys.service.
+if [ "$DISTRO_FAMILY" = "fedora" ]; then
+  info "Setting up OpenSSH ssh-agent..."
+
+  systemctl --user enable --now ssh-agent.socket 2>/dev/null && \
+    ok "ssh-agent.socket enabled." || \
+    warn "ssh-agent.socket not available."
+
+  if systemctl --user list-unit-files gcr-ssh-agent.service &>/dev/null 2>&1; then
+    systemctl --user disable --now gcr-ssh-agent.socket gcr-ssh-agent.service 2>/dev/null || true
+    systemctl --user mask --now gcr-ssh-agent.socket gcr-ssh-agent.service 2>/dev/null && \
+      ok "gcr-ssh-agent disabled (masked)." || \
+      warn "Could not mask gcr-ssh-agent."
+  fi
+fi
+
 info "Deploying user systemd services..."
 
 # ---- Helper: install service file ----
@@ -41,12 +62,12 @@ install_service_file "$SERVICES_DIR/porridge-dictate.service" "porridge-dictate.
 # ---- 3. pi-overview.service — Session dashboard ----
 install_service_file "$SERVICES_DIR/pi-overview.service" "pi-overview.service"
 
-# ---- 4. bw-ssh-keys.service — Load Bitwarden SSH keys at boot ----
+# ---- 4. mempi-sync.service + timer — Sync memory DB to Nextcloud ----
-install_service_file "$SERVICES_DIR/bw-ssh-keys.service" "bw-ssh-keys.service"
-
-# ---- 5. mempi-sync.service + timer — Sync memory DB to Nextcloud ----
 install_service_file "$SERVICES_DIR/mempi-sync.service" "mempi-sync.service"
 
+# ---- 5. bw-ssh-keys.service — Load Bitwarden SSH keys into ssh-agent ----
+install_service_file "$SERVICES_DIR/bw-ssh-keys.service" "bw-ssh-keys.service"
+
 # ---- 6. empty_downloads.service — Clear Downloads at login ----
 install_service_file "$SERVICES_DIR/empty_downloads.service" "empty_downloads.service"
 
@@ -56,9 +77,6 @@ info "Enabling and starting services..."
 # Services that should start automatically (enabled)
 systemctl --user daemon-reload
 
-# Check which scripts from stages 06 and 07 are available before enabling services.
-# This avoids failures when running stages out of order.
-
 if [ -x "$HOME/.local/bin/porridge" ]; then
   systemctl --user enable --now porridge.service 2>/dev/null && ok "porridge.service enabled"
 else
@@ -80,7 +98,7 @@ fi
 if [ -f "$HOME/.local/bin/bw-load-ssh.sh" ]; then
   systemctl --user enable bw-ssh-keys.service 2>/dev/null && ok "bw-ssh-keys.service enabled"
 else
-  warn "bw-ssh-keys.service skipped (script not found — run stage 06 first)."
+  warn "bw-ssh-keys.service skipped (bw-load-ssh.sh not found — run stage 06 first)."
 fi
 
 systemctl --user enable --now empty_downloads.service 2>/dev/null && ok "empty_downloads.service enabled" || warn "empty_downloads.service not started."

stages/09-desktop.sh

@@ -168,7 +168,7 @@ autostart_app() {
   fi
 }
 
-# Apps to autostart at login
+# Apps to autostart at login (from system .desktop files)
 autostart_app "firefox" "org.mozilla.firefox.desktop"
 autostart_app "ghostty" "com.mitchellh.ghostty.desktop"
 autostart_app "nextcloud" "com.nextcloud.desktopclient.nextcloud.desktop"

stages/11-tweaks.sh

@@ -41,5 +41,4 @@ EOF
   fi
   $SERVICE_ENABLE powertop 2>/dev/null && ok "PowerTOP auto-tune enabled." || true
 fi
-
 ok "Stage 11 complete: system tweaks applied."